Standard OPG AWS Account Module: Managed by opg-org-infra & Terraform

ministryofjustice/opg-terraform-aws-account

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.5 |
| aws | ~> 5.38 |

Providers

| Name | Version |
|------|---------|
| aws | 5.18.1 |
| aws.eu-west-2 | 5.18.1 |
| aws.global | 5.18.1 |

Modules

| Name | Source | Version |
|------|--------|---------|
| billing | ./modules/default_roles | n/a |
| breakglass | ./modules/default_roles | n/a |
| ci | ./modules/default_roles | n/a |
| cloudtrail | ./modules/cloudtrail | n/a |
| cloudwatch_loginsights_cis_queries_opg | ./modules/cis_queries | n/a |
| cloudwatch_loginsights_cis_queries_provisioned | ./modules/cis_queries | n/a |
| cloudwatch_reporting | ./modules/default_roles | n/a |
| cost_anomaly_detection | ./modules/ce_anomaly_detection | n/a |
| custom_cloudwatch_alarms | ./modules/custom_cloudwatch_alarms | n/a |
| custom_cloudwatch_alarms_vendored | ./modules/custom_cloudwatch_alarms | n/a |
| eu-west-1 | ./modules/region | n/a |
| eu-west-2 | ./modules/region | n/a |
| operator | ./modules/default_roles | n/a |
| security_hub | ./modules/security_hub | n/a |
| slack_notifications | ./modules/slack_notifications | n/a |
| viewer | ./modules/default_roles | n/a |

Resources

| Name | Type |
|------|------|
| aws_account_alternate_contact.operations | resource |
| aws_account_alternate_contact.security | resource |
| aws_account_primary_contact.main | resource |
| aws_ebs_encryption_by_default.enabled | resource |
| aws_guardduty_detector.main | resource |
| aws_iam_account_alias.main | resource |
| aws_iam_account_password_policy.strict | resource |
| aws_iam_policy.aws_cost_explorer_access_for_billing | resource |
| aws_iam_policy.cloudwatch_reporting | resource |
| aws_iam_role.aws_srt_support | resource |
| aws_iam_role.config | resource |
| aws_iam_role.sns_failure_feedback | resource |
| aws_iam_role.sns_success_feedback | resource |
| aws_iam_role_policy.sns_failure_feedback | resource |
| aws_iam_role_policy.sns_success_feedback | resource |
| aws_iam_role_policy_attachment.aws_billing_access_for_operator | resource |
| aws_iam_role_policy_attachment.aws_cost_explorer_access_for_billing | resource |
| aws_iam_role_policy_attachment.aws_srt_support_managed_policy | resource |
| aws_iam_role_policy_attachment.aws_support_access_for_breakglass | resource |
| aws_iam_role_policy_attachment.managed_policy | resource |
| aws_oam_link.main | resource |
| aws_s3_account_public_access_block.block_all | resource |
| aws_shield_drt_access_role_arn_association.aws_srt_support_association | resource |
| aws_cloudwatch_log_group.cloudtrail_log_group_vendored | data source |
| aws_iam_policy_document.assume_role_policy | data source |
| aws_iam_policy_document.aws_cost_explorer_access_for_billing | data source |
| aws_iam_policy_document.aws_srt_support_assume_role_policy | data source |
| aws_iam_policy_document.cloudwatch_reporting_policy | data source |
| aws_iam_policy_document.sns_feedback_actions | data source |
| aws_iam_policy_document.sns_feedback_assume_policy | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_name | Account name | `string` | `""` | no |
| auto_enable_controls | Whether Security Hub automatically enables new controls when they are added to standards that are already enabled | `bool` | `true` | no |
| aws_account_alternate_contact | The alternate (operations and security) contacts for the account | `object({ operations = object({ name = string, title = string, email_address = string, phone_number = string }), security = object({ name = string, title = string, email_address = string, phone_number = string }) })` | n/a | yes |
| aws_account_primary_contact | The primary contact for the account | `object({ address_line_1 = string, address_line_2 = string, city = string, company_name = string, country_code = string, phone_number = string, postal_code = string, state_or_region = string, full_name = string })` | n/a | yes |
| aws_config_enabled | Whether to enable AWS Config in the account | `bool` | `false` | no |
| aws_iam_account_alias | The IAM account alias to set for the account | `string` | n/a | yes |
| aws_s3_account_block_public_access_enable | Whether to enable the account-level S3 Block Public Access configuration for buckets in this account. Defaults to false, so the four `aws_s3_account_*` settings below only take effect once this is true. | `bool` | `false` | no |
| aws_s3_account_block_public_acls | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no |
| aws_s3_account_block_public_policy | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no |
| aws_s3_account_ignore_public_acls | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no |
| aws_s3_account_restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no |
| aws_security_hub_enabled | Whether to enable AWS Security Hub in the account | `bool` | `false` | no |
| aws_slack_cost_anomaly_notification_channel | Slack's internal ID for the channel to post cost anomalies to. Format `AB1C2DEF` | `string` | `""` | no |
| aws_slack_health_notification_channel | Slack's internal ID for the channel to post health alerts to. Format `AB1C2DEF` | `string` | `""` | no |
| aws_slack_notifications_enabled | Whether to enable alerting to Slack. Used together with the Slack cost/health notification channel inputs. | `bool` | `false` | no |
| billing_base_policy_arn | ARN of the managed policy attached to the `billing` role as its base permissions | `string` | `"arn:aws:iam::aws:policy/job-function/Billing"` | no |
| billing_custom_policy_json | Optional additional IAM policy document (JSON) for the `billing` role | `string` | `""` | no |
| breakglass_base_policy_arn | ARN of the managed policy attached to the `breakglass` role as its base permissions | `string` | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
| breakglass_create_instance_profile | Whether to also create an EC2 instance profile for the `breakglass` role | `bool` | `false` | no |
| breakglass_custom_policy_json | Optional additional IAM policy document (JSON) for the `breakglass` role | `string` | `""` | no |
| ci_base_policy_arn | ARN of the managed policy attached to the `ci` role as its base permissions | `string` | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
| ci_custom_policy_json | Optional additional IAM policy document (JSON) for the `ci` role | `string` | `""` | no |
| cis_foundation_alarms_enabled | Whether to create the CloudWatch metric filters and alarms that support CIS AWS Foundations Benchmark compliance. Defaults to true. | `bool` | `true` | no |
| cis_foundation_control_1_14_enabled | When true, creates a metric filter and alarm for CIS.1.14. When false, sets the standard control to disabled. | `bool` | `false` | no |
| cis_foundation_control_3_10_custom_filter | When provided, creates a custom metric filter and alarm for CIS.3.10 and disables the control in Security Hub. | `string` | `""` | no |
| cis_foundation_control_3_10_enabled | When true, creates a metric filter and alarm for CIS.3.10. When false, sets the standard control to disabled. | `bool` | `true` | no |
| cis_foundation_control_3_11_enabled | When true, creates a metric filter and alarm for CIS.3.11. When false, sets the standard control to disabled. | `bool` | `true` | no |
| cis_foundation_control_3_12_enabled | When true, creates a metric filter and alarm for CIS.3.12. When false, sets the standard control to disabled. | `bool` | `true` | no |
| cis_foundation_control_3_13_enabled | When true, creates a metric filter and alarm for CIS.3.13. When false, sets the standard control to disabled. | `bool` | `true` | no |
| cis_foundation_control_3_14_enabled | When true, creates a metric filter and alarm for CIS.3.14. When false, sets the standard control to disabled. | `bool` | `true` | no |
| cis_foundation_control_3_4_enabled | When true, creates a metric filter and alarm for CIS.3.4. When false, sets the standard control to disabled. | `bool` | `true` | no |
| cis_foundation_control_3_8_enabled | When true, creates a metric filter and alarm for CIS.3.8. When false, sets the standard control to disabled. | `bool` | `true` | no |
| cis_metric_namespace | The destination namespace of the CIS CloudWatch metrics | `string` | `"CISLogMetrics"` | no |
| cloudtrail_bucket_name | Name of the S3 bucket that receives the CloudTrail logs | `string` | `"cloudtrail"` | no |
| cloudtrail_trail_name | Name of the CloudTrail trail | `string` | `"cloudtrail"` | no |
| config_continuous_resource_recording | Whether the AWS Config recorder records continuously (true) or daily (false). Set to false in dev accounts. | `bool` | `true` | no |
| control_finding_generator | Security Hub control finding generator. `SECURITY_CONTROL` turns on consolidated control findings (one finding per control across all enabled standards); `STANDARD_CONTROL` produces one finding per control per standard. | `string` | `"STANDARD_CONTROL"` | no |
| cost_anomaly_immediate_schedule_threshold | The value that triggers an immediate notification when exceeded. An absolute dollar amount by default; a percentage if `cost_anomaly_threshold_expression_type` is changed. | `string` | `"10.0"` | no |
| cost_anomaly_notification_email_address | Email address to send anomaly alerts to | `string` | `null` | no |
| cost_anomaly_threshold_expression_type | Passed to the anomaly subscription's threshold expression to determine whether the thresholds (`cost_anomaly_weekly_schedule_threshold`, `cost_anomaly_immediate_schedule_threshold`) are absolute (`ANOMALY_TOTAL_IMPACT_ABSOLUTE`) or percentage (`ANOMALY_TOTAL_IMPACT_PERCENTAGE`) values | `string` | `"ANOMALY_TOTAL_IMPACT_ABSOLUTE"` | no |
| cost_anomaly_weekly_schedule_threshold | The value that triggers a weekly notification when exceeded. An absolute dollar amount by default; a percentage if `cost_anomaly_threshold_expression_type` is changed. | `string` | `"100.0"` | no |
| custom_alarms_breakglass_login_alarm_enabled | Enable or disable the breakglass login alarm | `bool` | `true` | no |
| enable_default_standards | Whether to enable the security standards that Security Hub designates as automatically enabled | `bool` | `false` | no |
| enable_guardduty | Whether to create the GuardDuty detector for the account | `bool` | `true` | no |
| fsbp_standard_control_elb_6_enabled | When false, sets the AWS Foundational Security Best Practices control ELB.6 to disabled | `bool` | `true` | no |
| is_production | Whether this is a production account | `bool` | `false` | no |
| modernisation_platform_account | Whether this is a vendored account from the Modernisation Platform | `bool` | `false` | no |
| oam_xray_sink_identifier_arn | ARN of the CloudWatch Observability Access Manager (OAM) sink to link this account to, so that X-Ray traces are shared with it (optional) | `string` | `null` | no |
| operator_base_policy_arn | ARN of the managed policy attached to the `operator` role as its base permissions | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| operator_create_instance_profile | Whether to also create an EC2 instance profile for the `operator` role | `bool` | `false` | no |
| operator_custom_policy_json | Optional additional IAM policy document (JSON) for the `operator` role | `string` | `""` | no |
| pagerduty_securityhub_integration_key | The PagerDuty integration key used to subscribe to Security Hub findings | `string` | `null` | no |
| product | Product name | `string` | n/a | yes |
| shield_support_role_enabled | Whether to create the Shield support role that allows AWS security engineers (the Shield Response Team) to access the account to assist with DDoS mitigation | `bool` | `false` | no |
| team_email | Team group email address for use in tags | `string` | `"opgteam@digital.justice.gov.uk"` | no |
| team_name | Name of the team looking after the service | `string` | `"OPG"` | no |
| user_arns | Principal ARNs permitted to assume each of the default roles | `object({ view = list(string), operation = list(string), breakglass = list(string), ci = list(string), billing = list(string), cloudwatch_reporting = list(string) })` | n/a | yes |
| viewer_base_policy_arn | ARN of the managed policy attached to the `viewer` role as its base permissions | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| viewer_custom_policy_json | Optional additional IAM policy document (JSON) for the `viewer` role | `string` | `""` | no |
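A complete call of this module, added here as an illustration; it is not taken from the repository or from opg-org-infra. The module source path and `ref`, the account identifiers, contact details, principal ARNs, Slack channel IDs, email addresses and the regions chosen for the three provider configurations are placeholders (assumptions); the input names are the ones in the table above. Two points a practitioner would want: the Providers table lists `aws`, `aws.eu-west-2` and `aws.global`, so all three must be passed through `providers` or `terraform init` fails, and several account-hardening inputs (the account-level S3 public access block, Security Hub, AWS Config) default to off and have to be opted into explicitly.

```hcl
# Added example module call (not the repository's own code). Every ARN, ID,
# email, contact value and the source ref below is a placeholder assumption.

terraform {
  required_version = ">= 1.1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.38"
    }
  }
}

provider "aws" {
  region = "eu-west-1"
}

provider "aws" {
  alias  = "eu-west-2"
  region = "eu-west-2"
}

# Assumption: the "global" alias is used for region-less services (IAM, Shield),
# which AWS serves from us-east-1.
provider "aws" {
  alias  = "global"
  region = "us-east-1"
}

module "account" {
  # Assumed source; pin to a tagged release (replace vX.Y.Z), never a branch.
  source = "github.com/ministryofjustice/opg-terraform-aws-account?ref=vX.Y.Z"

  # All three provider configurations listed in the Providers table.
  providers = {
    aws           = aws
    aws.eu-west-2 = aws.eu-west-2
    aws.global    = aws.global
  }

  # Required inputs (placeholder values)
  product               = "example-product"
  aws_iam_account_alias = "example-product-development"

  aws_account_primary_contact = {
    full_name       = "Example Team"
    company_name    = "Example Org"
    address_line_1  = "1 Example Street"
    address_line_2  = ""
    city            = "London"
    state_or_region = "London"
    postal_code     = "SW1A 1AA"
    country_code    = "GB"
    phone_number    = "+44 20 0000 0000"
  }

  aws_account_alternate_contact = {
    operations = {
      name          = "Example Ops"
      title         = "Operations"
      email_address = "ops@example.org"
      phone_number  = "+44 20 0000 0001"
    }
    security = {
      name          = "Example Security"
      title         = "Security"
      email_address = "security@example.org"
      phone_number  = "+44 20 0000 0002"
    }
  }

  # Principals allowed to assume each default role. breakglass and ci default to
  # AdministratorAccess, so keep those lists to the minimum; empty lists mean
  # nobody can assume that role.
  user_arns = {
    view                 = ["arn:aws:iam::111111111111:role/example-engineers"]
    operation            = ["arn:aws:iam::111111111111:role/example-engineers"]
    breakglass           = ["arn:aws:iam::111111111111:role/example-breakglass"]
    ci                   = ["arn:aws:iam::111111111111:role/example-ci-runner"]
    billing              = []
    cloudwatch_reporting = []
  }

  # Hardening that is off by default in this module and must be opted into.
  aws_s3_account_block_public_access_enable = true # the four block_* inputs keep their true defaults
  aws_security_hub_enabled                  = true
  aws_config_enabled                        = true
  config_continuous_resource_recording      = true # set false only in dev accounts

  # Alerting (placeholder channel IDs in the documented AB1C2DEF format).
  aws_slack_notifications_enabled             = true
  aws_slack_health_notification_channel       = "AB1C2DEF"
  aws_slack_cost_anomaly_notification_channel = "AB1C2DEF"
  cost_anomaly_notification_email_address     = "finops@example.org"

  # Optional: narrow the ci role from its AdministratorAccess default.
  ci_base_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}
```

Run `terraform init` and `terraform plan` with credentials for the target account; the plan should show the account-level `aws_s3_account_public_access_block.block_all`, the GuardDuty detector and the strict password policy among the resources to be created, which is a quick way to confirm the opt-in inputs took effect before applying.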

Outputs

| Name | Description |
|------|-------------|
| aws_sns_topic_ce_detection_immediate_schedule | SNS topic used for immediate-schedule cost anomaly notifications |
| aws_sns_topic_cis_aws_foundations_standard | SNS topic used for the CIS AWS Foundations Benchmark alarms |
| aws_sns_topic_custom_cloudwatch_alarms | SNS topic used for the custom CloudWatch alarms |
| aws_sns_topic_slack_notification_failures | SNS topic used for Slack notification delivery failures |
